Thursday, January 08, 2009

High-speed (10Gb) Packet Inspection

I am involved in a research project doing packet inspection on a high-speed (10Gb) Ethernet network. There are many issues that we have to face.

First, packet drops. We are using software (tools) that requires all packets to be available before the inspection begins. Unfortunately, our network is not clean: there are packet drops, so some packets are missing. This really creates a problem for us.

We could modify the software so that it does not require all packets to be available, or we could "spoof" the missing packets. The idea is that given a timeout, if a packet is not available then we just create a dummy packet. Which one is better (less difficult to do)?
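The timeout-and-dummy-packet idea, worked through as an added example (not code from the original post): a minimal single-direction TCP reassembler that buffers out-of-order segments, fills a hole with zero bytes once it has been open for the timeout, and records where it did so. The class, the timings and the sample stream are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    ts: float     # capture timestamp in seconds
    data: bytes

@dataclass
class GapFillingReassembler:
    """One direction of a TCP stream. A hole left by a dropped segment is filled with
    dummy bytes after `timeout` seconds; each fill is recorded in `gaps` for later stages."""
    next_seq: int                   # sequence number the stream is waiting for
    timeout: float = 0.5
    out: bytearray = field(default_factory=bytearray)
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # (stream offset, length)
    pending: Dict[int, Segment] = field(default_factory=dict)  # out-of-order, keyed by seq

    def _drain(self) -> None:
        # Append every buffered segment that has become contiguous.
        while self.next_seq in self.pending:
            seg = self.pending.pop(self.next_seq)
            self.out += seg.data
            self.next_seq += len(seg.data)

    def push(self, seg: Segment) -> None:
        if seg.seq < self.next_seq:     # retransmission or overlap: keep only the new bytes
            seg = Segment(self.next_seq, seg.ts, seg.data[self.next_seq - seg.seq:])
        if seg.data:                    # (overlaps between out-of-order segments are not handled)
            self.pending[seg.seq] = seg
        self._drain()
        self.tick(seg.ts)

    def tick(self, now: float) -> None:
        """Fill the oldest hole once it has been open for at least `timeout` seconds."""
        while self.pending and now - min(s.ts for s in self.pending.values()) >= self.timeout:
            lowest = min(self.pending)
            hole = lowest - self.next_seq
            self.gaps.append((len(self.out), hole))
            self.out += b"\x00" * hole  # dummy bytes standing in for the lost segment(s)
            self.next_seq = lowest
            self._drain()

def demo() -> Tuple[bytes, List[Tuple[int, int]]]:
    # Constructed stream: the 4-byte segment at seq 106 ("LOST") never arrives in time.
    r = GapFillingReassembler(next_seq=100, timeout=0.5)
    r.push(Segment(100, 0.00, b"HELLO-"))   # in order, appended at once
    r.push(Segment(110, 0.10, b"WORLD"))    # out of order, buffered
    r.push(Segment(115, 0.20, b"!"))        # still waiting for seq 106
    r.tick(0.70)                            # hole open 0.6 s: fill it and drain the buffer
    r.push(Segment(106, 0.80, b"LOST"))     # late retransmission: already filled, discarded
    return bytes(r.out), r.gaps
```

Two caveats the example makes visible: a segment that arrives after its hole was filled is discarded, and any matching done over the stream should consult `gaps` so a signature never fires on the dummy bytes.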

Second, a high-speed packet matching library. What kind of library should we use? libnids? tcpflow? libpcap? Note that we are interested in inspecting the content of the packet (payload?). I guess it's something like ngrep but for the whole session (not just one packet).